
[ScreenOS] How to confirm/monitor if traffic is passing through the NSRP device


Article ID: KB11201 | Last Updated: 15 Sep 2020 | Version: 5.0
Summary:

When setting up a pair of firewall devices in an NSRP Active / Passive configuration, it is always a good idea to check or test if traffic is passing through the firewalls before fully deploying the configuration. This check should also be performed after testing the NSRP failover function.

This article is designed to provide a general idea of the commands that are helpful to confirm/monitor traffic running through a device.


Solution:

The "snoop" function provides information about how a device deals with a packet. However, without a proper filter configured, the buffer log could be huge and it would be hard to focus on the flow that you may be interested in. An example of such a filter configuration is described below.

Setup

In this article, a host with IP address 1.1.1.1 is connected to interface ethernet1 in the Untrust zone, and another host with IP address 2.2.2.2 is connected to interface ethernet2 in the Trust zone (see diagram below).

                Untrust      |       Trust
[PC1]-----------<eth1>[FW]<eth2>------------[PC2]
1.1.1.1                                   2.2.2.2

Notes to Consider

  • Confirming whether traffic is passing through a device is usually done by monitoring at the application level of PC1 or PC2.

  • In addition to debug and snoop, the interface statistics counters (which show how many packets come in to and go out from the device) help identify the interface at which the traffic stops.

  • Optionally, during the test, get session src-ip <PC1> dst-ip <PC2> can be issued to show the sessions of the traffic that you are interested in.

  • Last, after the test finishes, it is recommended to redirect the output of get dbuf stream to a file on a TFTP server when the dbuf is large.

Check / Monitor Traffic

Step 1: To prepare the device, unset all debugs and clear the debug buffer. For additional snoop information, consult KB5411 - How do you use Snoop for Troubleshooting?

undebug all
clear dbuf

Step 2: Set up snoop filters to narrow the data capture by using the following commands:

snoop filter ip src-ip 1.1.1.1 dst-ip 2.2.2.2
snoop filter ip src-ip 2.2.2.2 dst-ip 1.1.1.1

Step 3: Verify the snoop setup:

snoop info

Step 4: Monitor the interface counters before (and after) the test:

get counter statistics interface ethernet1 | include "in packets"
get counter statistics interface ethernet2 | include "in packets"

or in short:

get count sta int eth1 | i "in packet"
get count sta int eth2 | i "in packet"

Example: a PING from PC1 to PC2 is the traffic that we are interested in. After 4 PING packets complete, both "in packets" and "out packets" increase by 4.

Before start of 4 PINGs

in packets          1746 | out packets          469 | late frame             0
in packets          1746 | out packets          469 | tear drop              0

After 4 PINGs complete

in packets          1750 | out packets          473 | late frame             0
in packets          1750 | out packets          473 | tear drop              0

Step 5: Enter the command "snoop" to start capturing data.

snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n Y

Step 6: Generate traffic through the firewall device. Typically pinging from PC1 to PC2 will work, but if ping is blocked, run any other application between PC1 and PC2.

Step 7: To monitor the related sessions during the test, run the commands shown below.

get session src-ip 1.1.1.1 dst-ip 2.2.2.2
get session src-ip 2.2.2.2 dst-ip 1.1.1.1

If a session is not displayed in the output, traffic is not passing through the device. A policy could be blocking the traffic. Troubleshoot why the traffic is not passing.

Step 8: Stop the snoop trace and view the log after the test:

snoop off
get dbuf stream

(or, when the dbuf size is large, e.g. if 'set db size' is set to 4096:)

get dbuf stream > tftp [IP address] [Filename]

Sample Output

11763889.0: ethernet1(i) len=74:0015582744c2->0010db739082/0800
              1.1.1.1 -> 2.2.2.2/1
              vhl=45, tos=00, id=61429, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0
11763889.0: ethernet2(o) len=74:0010db739081->00005e000881/0800
              1.1.1.1 -> 2.2.2.2/1
              vhl=45, tos=00, id=61429, frag=0000, ttl=127 tlen=60
              icmp:type=8, code=0

In the Sample Output above, the ICMP packet with ID 61429 is coming in interface ethernet1 and going out interface ethernet2.

Note: On ISG-1000, ISG-2000, and NS-5000 devices, you will not see the outgoing packet in the Snoop output for TCP-based applications because the session is running in the ASIC; this is expected behavior, so you may need an external packet sniffer to see those packets. However, you will see the outgoing packet on these devices for ICMP sessions.

For additional assistance with reading the Snoop output, consult KB6708 - How do I interpret the snoop output?
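As an added example (not part of this KB article), the following Python script parses snoop records in the format shown above and pairs the (i) and (o) copies of each packet by (src, dst, IP ID), reporting which packets entered but never left and whether the egress TTL dropped by one as expected for a forwarded packet. The input is a constructed sample in the shape of the sample output; on the ISG/NS-5000 platforms mentioned in the note above, an ingress-only TCP packet is expected, so only the ICMP verdict is meaningful there.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the KB's snoop output: IP id 61429 enters on
# ethernet1 and leaves on ethernet2; id 61430 is only ever seen entering.
SNOOP_OUTPUT = """\
11763889.0: ethernet1(i) len=74:0015582744c2->0010db739082/0800
              1.1.1.1 -> 2.2.2.2/1
              vhl=45, tos=00, id=61429, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0

11763889.0: ethernet2(o) len=74:0010db739081->00005e000881/0800
              1.1.1.1 -> 2.2.2.2/1
              vhl=45, tos=00, id=61429, frag=0000, ttl=127 tlen=60
              icmp:type=8, code=0

11763890.0: ethernet1(i) len=74:0015582744c2->0010db739082/0800
              1.1.1.1 -> 2.2.2.2/1
              vhl=45, tos=00, id=61430, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0
"""

# One record: "<ts>: <if>(i|o) len=..." header, "src -> dst/proto", then the IPv4 header line.
RECORD = re.compile(
    r"^\S+: (?P<ifname>\w+)\((?P<dir>[io])\) len=\d+:.*\n"
    r"\s*(?P<src>\S+) -> (?P<dst>\S+)/\d+\n"
    r".*\bid=(?P<id>\d+),.*\bttl=(?P<ttl>\d+)",
    re.MULTILINE)

def parse_snoop(text):
    """Return one dict per complete IPv4 snoop record; partial records are skipped."""
    return [dict(m.groupdict(), id=int(m["id"]), ttl=int(m["ttl"]))
            for m in RECORD.finditer(text)]

def correlate(records):
    """Pair (i)/(o) copies by (src, dst, IP id): forwarded packets have both, with egress TTL one lower."""
    copies = defaultdict(dict)
    for r in records:
        copies[(r["src"], r["dst"], r["id"])][r["dir"]] = r
    result = {}
    for key, c in copies.items():
        i, o = c.get("i"), c.get("o")
        result[key] = {"in_if": i and i["ifname"], "out_if": o and o["ifname"],
                       "forwarded": bool(i and o),
                       "ttl_decremented": bool(i and o) and o["ttl"] == i["ttl"] - 1}
    return result

if __name__ == "__main__":
    for key, verdict in correlate(parse_snoop(SNOOP_OUTPUT)).items():
        print(key, verdict)
```

In practice, feed it the file saved with `get dbuf stream > tftp ...` after running the snoop filters from Step 2, so only the PC1/PC2 flow is present.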

Step 9: Check the interface counters once again (same as in Step 4) and confirm that the number of IN and OUT packets has incremented.

get counter statistics interface ethernet1 | include "in packets"
get counter statistics interface ethernet2 | include "in packets"


Modification History:

2020-09-15: Article checked for accuracy; article valid and relevant; no changes required
